Decode obfuscated JavaScript

2023-03-08 20:27 问答作者：

Due to stupidity I've encoded some JavaScript code (an iframe code) using one of the sites that gives this Free Javascript Obfuscator called ( javascriptobfuscator dot com )

var _0xb869=["\x3C\x49\x46\x52\x41\x4D\x45\x20\x46\x52\x41\x4D\x45\x42\x4F\x52\x44\x45\x52\x3D\x22\x30\x22\x20\x69\x64\x3D\x22\x74\x68\x65\x5F\x69\x66\x72\x61\x6D\x65\x22\x20\x6D\x61\x72\x67\x69\x6E\x77\x69\x64\x74\x68\x3D\x22\x30\x22\x20\x6D\x开发者_运维知识库61\x72\x67\x69\x6E\x68\x65\x69\x67\x68\x74\x3D\x22\x30\x22\x20\x76\x73\x70\x61\x63\x65\x3D\x22\x30\x22\x20\x68\x73\x70\x61\x63\x65\x3D\x22\x30\x22\x20\x77\x69\x64\x74\x68\x3D\x22\x32\x30\x37\x70\x78\x22\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x31\x37\x37\x70\x78\x22\x20\x20\x61\x6C\x6C\x6F\x77\x74\x72\x61\x6E\x73\x70\x61\x72\x65\x6E\x63\x79\x3D\x22\x74\x72\x75\x65\x22\x20\x41\x4C\x49\x47\x4E\x3D\x22\x43\x45\x4E\x54\x45\x52\x22\x20\x53\x43\x52\x4F\x4C\x4C\x49\x4E\x47\x3D\x22\x6E\x6F\x22\x20\x53\x52\x43\x3D\x22","\x2F\x77\x69\x64\x73\x63\x2E\x70\x68\x70\x3F\x69\x64\x3D","\x22\x3E\x3C\x2F\x49\x46\x52\x41\x4D\x45\x3E","\x77\x72\x69\x74\x65\x6C\x6E"];document[_0xb869[3]](_0xb869[0]+script_path+_0xb869[1]+id_path+_0xb869[2]);

I've forgotten what it was. All I know it was like (iframe html code)

Is there any way to decode it back?

The string is easily decoded in your browser’s built-in JavaScript console. Just paste the Array contents and you will see the contents as a decoded array.

You can render the text directly into a text field to get the ASCII/Unicode representation.

Take this a step further and use a string literal to replace the array index look-ups with their values.

var script = `var _0xb869=["\x3C\x49\x46\x52\x41\x4D\x45\x20\x46\x52\x41\x4D\x45\x42\x4F\x52\x44\x45\x52\x3D\x22\x30\x22\x20\x69\x64\x3D\x22\x74\x68\x65\x5F\x69\x66\x72\x61\x6D\x65\x22\x20\x6D\x61\x72\x67\x69\x6E\x77\x69\x64\x74\x68\x3D\x22\x30\x22\x20\x6D\x61\x72\x67\x69\x6E\x68\x65\x69\x67\x68\x74\x3D\x22\x30\x22\x20\x76\x73\x70\x61\x63\x65\x3D\x22\x30\x22\x20\x68\x73\x70\x61\x63\x65\x3D\x22\x30\x22\x20\x77\x69\x64\x74\x68\x3D\x22\x32\x30\x37\x70\x78\x22\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x31\x37\x37\x70\x78\x22\x20\x20\x61\x6C\x6C\x6F\x77\x74\x72\x61\x6E\x73\x70\x61\x72\x65\x6E\x63\x79\x3D\x22\x74\x72\x75\x65\x22\x20\x41\x4C\x49\x47\x4E\x3D\x22\x43\x45\x4E\x54\x45\x52\x22\x20\x53\x43\x52\x4F\x4C\x4C\x49\x4E\x47\x3D\x22\x6E\x6F\x22\x20\x53\x52\x43\x3D\x22","\x2F\x77\x69\x64\x73\x63\x2E\x70\x68\x70\x3F\x69\x64\x3D","\x22\x3E\x3C\x2F\x49\x46\x52\x41\x4D\x45\x3E","\x77\x72\x69\x74\x65\x6C\x6E"];document[_0xb869[3]](_0xb869[0]+script_path+_0xb869[1]+id_path+_0xb869[2]);`

document.querySelector('#rendered').value = script;
document.querySelector('#decoded').value  = deobfuscate(script);

function deobfuscate(obfuscatedScript) {
  var _0xb869 = ["\x3C\x49\x46\x52\x41\x4D\x45\x20\x46\x52\x41\x4D\x45\x42\x4F\x52\x44\x45\x52\x3D\x22\x30\x22\x20\x69\x64\x3D\x22\x74\x68\x65\x5F\x69\x66\x72\x61\x6D\x65\x22\x20\x6D\x61\x72\x67\x69\x6E\x77\x69\x64\x74\x68\x3D\x22\x30\x22\x20\x6D\x61\x72\x67\x69\x6E\x68\x65\x69\x67\x68\x74\x3D\x22\x30\x22\x20\x76\x73\x70\x61\x63\x65\x3D\x22\x30\x22\x20\x68\x73\x70\x61\x63\x65\x3D\x22\x30\x22\x20\x77\x69\x64\x74\x68\x3D\x22\x32\x30\x37\x70\x78\x22\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x31\x37\x37\x70\x78\x22\x20\x20\x61\x6C\x6C\x6F\x77\x74\x72\x61\x6E\x73\x70\x61\x72\x65\x6E\x63\x79\x3D\x22\x74\x72\x75\x65\x22\x20\x41\x4C\x49\x47\x4E\x3D\x22\x43\x45\x4E\x54\x45\x52\x22\x20\x53\x43\x52\x4F\x4C\x4C\x49\x4E\x47\x3D\x22\x6E\x6F\x22\x20\x53\x52\x43\x3D\x22","\x2F\x77\x69\x64\x73\x63\x2E\x70\x68\x70\x3F\x69\x64\x3D","\x22\x3E\x3C\x2F\x49\x46\x52\x41\x4D\x45\x3E","\x77\x72\x69\x74\x65\x6C\x6E"];
  return bracketToDotNotation(`document["${_0xb869[3]}"]("${_0xb869[0]}"+script_path+"${_0xb869[1]}"+id_path+"${_0xb869[2]}");`).replace(/\s+/g, ' ').toLowerCase();
}

function bracketToDotNotation(input) {
  return input.replace(/(?<=\w)\["?(\w+)"?\]/g, '.$1');
}

html,
body, 
textarea {
  width: 100%;
  height: 100%;
}

html,
body {
  margin: 0;
  padding: 0;
}

textarea {
  width: calc(100% - 2px);
  height: calc(50% - 4px);
  margin: 0;
  padding: 0;
  resize: none;
  overflow: auto;
}

<link href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css" rel="stylesheet"/>
<textarea id="rendered"></textarea>
<textarea id="decoded"></textarea>

To avoid this problem in the future, you can adopt a workflow where you separate your source code from the js you deploy. Just obfuscate / minify / compile before putting the code into production, and keep human-readable source to work from elsewhere.

/** @type {Array} */
var _0xb869 = ['<IFRAME FRAMEBORDER="0" id="the_iframe" marginwidth="0" marginheight="0" vspace="0" hspace="0" width="207px" height="177px"  allowtransparency="true" ALIGN="CENTER" SCROLLING="no" SRC="', "/widsc.php?id=", '"></IFRAME>', "writeln"];
document[_0xb869[3]](_0xb869[0] + script_path + _0xb869[1] + id_path + _0xb869[2]);

继续阅读：javascript

Decode obfuscated JavaScript

更多精彩内容

精彩评论

最新问答

海信ULED电视画质有什么不同的地方?？

钉子可以挂的住画框幕布吗？

哪里医院专治输卵管堵塞好？

外语基础薄弱的人出国自由行，带哪种翻译器比较好？？

输卵管积液手术价格？

问答排行榜

王昌瑞《潜梦追凶》剧组庆生新锐演员未来可期？

Is it allowed to ask users to enter credit card details for own payment method?

Escaping "<" in Perl-generated XML

imessage会显示已读吗？

微信重新建群怎么建？